Introduction

With the many types of penetration testing available to businesses, it can be difficult to distinguish which ones you might need. They are built around specific sizes of businesses and companies, but one type that most can use is the physical penetration test. These tests can be relatively expensive, considering that travel costs are usually necessary, but they are a good way to find out how secure your business’s property is.

When it comes to penetration tests, businesses often don’t think of the physical aspect of it. Granted, many pen tests are for networks and computers, but the physical portions are important as well. These physical pen tests revolve around checking the physical building of the business, along with server rooms, employee areas, and various restricted areas that normal people shouldn’t be able to get to. This can include reviewing guest and visitor policies as well.

What is a physical penetration test?

A physical penetration test, or physical pen test, is a type of penetration test that tests the physical security of a business’s building, server room, and various other restricted areas that shouldn’t be open to people without an escort. While bad actors will primarily use tactics like phishing, vishing, and various other forms of social engineering, there are some who will resort to physically getting into an establishment.

The building isn’t the only thing to consider, though. Some businesses don’t realize that they may be leaving sensitive information where people can easily get to it. Physical documents are something people don’t often think about when it comes to cybersecurity. If a business simply throws sensitive documents away, it’s entirely possible that a bad actor will have access to them. Trash gets thrown into dumpsters, which are usually unsecured.

It’s important to consider what’s accessible on a business’s premises. Even if documents are disposed of properly, it’s entirely possible a bad actor may try to sneak in under the guise of a contractor or employee. If anyone has sensitive documents on desks, it’s a simple matter of walking by and snapping photos of these documents, which can be quite detrimental to the business.

What happens during a Physical Penetration Test?

After the test has been agreed upon by the business and cybersecurity firm, including travel and other expenses, a security analyst will travel to the physical locations agreed upon. Once there, they will be doing a number of different things to test policies and employee attention. There are various events they can perform, including:

  • Pretexting
  • Impersonations
  • Tailgating
  • Dumpster Diving
  • USB Drops
  • RFID Hacking
  • Destructive Entry

There are many things that a security analyst can do, but these are the usual methods used to get into a building. Depending on what is agreed upon, this can also include destructive force to get into the building. Usually, though, it’s more about sneaking in.

Pretexting

Pretexting is usually the beginning of an attack on a business. Using phishing, vishing, and various other methods, a bad actor will attempt to plant the idea of a contractor or employee coming to the location. They will give information about a fake situation, usually a checkup or something IT-related, in order to make other social engineering situations seem more probable.

The bad actor will contact someone at the business and will try to let someone know that there is an outstanding issue. With this information implanted, it is possible that an employee might be less likely to question the situation since they were told ahead of time. This increases the likelihood of an impersonator getting through.

Impersonations

Whenever your business becomes the target of a social engineering campaign, a security analyst will attempt to impersonate contractors or employees to get into the building. This usually involves a bit of information gathering beforehand, including through phishing and vishing. There are plenty of contractors and other businesses that your company may work with, and as such, it’s important to verify everyone who claims that they work with you.

Even though it might seem like a silly idea, a bad actor may try to use a disguise to get into your business. They may pose as an electrician, a plumber, or some other job that is common for a business to need. With an official-looking uniform, a fake ID, and more, a bad actor will attempt to infiltrate your business with the pretense of fixing something or checking on something that may have routine checkups. With pretexting, this method of infiltration can be quite successful for many bad actors.

Tailgating

If someone shows up with any sort of job to do, it’s always wise to verify the person and the job that is being done. However, there are times when one of these bad actors will try to get into a restricted area by closely following an employee. This usually involves a locked or secure door, but it can be done in any manner if the employee is not paying attention. A bad actor will follow closely behind in an attempt to get through the door, now that it has been opened.

However, this also includes peeking over an employee’s shoulder or workstation in order to skim personal or sensitive information from their devices. Whether it’s a computer, cell phone, or other device, someone may stick close to examine what is on the screen or what is being typed. This is why it is important to be aware of your surroundings—someone standing behind you may try to watch for you to enter a password.

Dumpster Diving

While not exactly the most sanitary thing to do, some bad actors will do anything to get information. They hope that the business they’re targeting will forget about their security policies. When it comes to disposing of documents and pieces of media, there should be special policies that dictate how to do that. If they aren’t destroyed properly, there is a possibility that a bad actor could get sensitive information about the company, employees, and possibly customers.

If documents and media devices aren’t shredded or broken down, it’s entirely possible that they will simply be discarded into the trash can. Afterward, it will be taken to a dumpster or trash area where the documents will be exposed to anyone who might come by. These bad actors will get into the dumpster and look through papers and files and other media sources that might have been thrown away, eventually obtaining the sensitive info that is there.

USB Drops

In combination with these other attacks, USB drops are an older—but still effective—method of hacking. A bad actor will drop one or multiple USB flash drives around a business, usually in a parking lot, inside of the business, or nearby. They are hoping that someone, employee or customer alike, might pick one up and take it to their workstation or personal computer.

All you have to do is plug in the USB drive. These drives may contain malicious software that can immediately be installed without any sort of permission or agreement from the user. Once it is inserted, the program can run, installing any sort of malicious software, be it ransomware or otherwise, right into the network of the company. It’s a good idea never to plug any unknown flash drive or piece of media into your computer.

RFID Hacking

When it comes to entry into a building or office space, there may be a contactless entry method that employees can use. This is called Radio Frequency Identification, or RFID. Using different methods of radio frequency, a person can open a door with a simple keycard or cellular device. However, with this method, it is important to have strong protections in place.

Hacking RFID devices has become a more popular method of entry lately. Bad actors can use different methods like cloning, jamming, scanning, and even recording to get information used with an RFID device. There are many ways to prevent these devices from being hacked, though, including RFID blockers, weaker signals for access cards, and more.

Destructive Entry

While not the most typical method of entry used by bad actors, they still may try it if they want something badly enough. Destructive methods of entry include things like lockpicking, breaking windows or other various entry points, and forcing things open that shouldn’t normally be open. This is a dangerous method, but it can be used by bad actors. Physical security, like security guards or active cameras, is necessary to prevent these types of entry.

Conclusion

There are many ways that physical penetration testing can occur. Using the methods above, a security analyst from a cybersecurity firm may try to physically enter your company’s facilities. All companies should have policies that cover visitors, contractors and maintenance, and more. With these security measures in place, it is much more difficult for bad actors to get through and into your workplace.

With these penetration tests, a report will be generated with all the information obtained from it. The analyst will likely travel to the facilities in question and attempt some or all of these methods. If any are successful, they will be reported and given to the business to review and remediate.

Eddy Berry, Security Research Analyst

Eddy has been researching cybersecurity for a few years now. Finding specific trends and best practices is something he takes pride in, assisting in finding news and government regulations that are on the rise. He researches topics and writes articles based on current events and important vulnerabilities that are affecting people, always hoping to get the necessary cybersecurity steps to those who need them.